Patch management is
|“||the process of acquiring, testing, and distributing patches to the appropriate administrators and users throughout the organization.||”|
|“||the process for identifying, acquiring, installing, and verifying patches for products and systems.||”|
Patch management is a critical process that can help alleviate many of the challenges of securing computing systems. A component of configuration management, it includes acquiring, testing, applying, and monitoring patches to a computer system. Flaws in software code that could cause a program to malfunction generally result from programming errors that occur during software development. The increasing complexity and size of software programs contribute to the growth in software flaws.
As vulnerabilities in a system are discovered, attackers may attempt to exploit them, possibly causing significant damage. Organizations that actively manage and use software patches can reduce the chances that the vulnerabilities in their IT systems can be exploited; in addition, they can save time and money that might be spent in responding to vulnerability-related incidents.
Malicious acts can range from defacing websites to taking control of entire systems, thereby being able to read, modify, or delete sensitive information; disrupt operations; or launch attacks against other organizations’ systems. After a vulnerability is validated, the software vendor may develop and test a patch or workaround to mitigate the vulnerability. Incident response groups and software vendors issue information updates on the vulnerability and the availability of patches.
Patch management tools automate the otherwise manual process of acquiring, testing, and applying patches to a computer system. These tools can be used to identify missing patches on systems, deploy patches, and generate reports to track the status of a patch across various computers.
Obstacles to implementing effective patch management include:
- installing patches quickly while at the same time testing them adequately before installation
- patching heterogeneous systems
- ensuring that mobile systems receive the latest patches
- avoiding unacceptable downtime when patching systems that require a high degree of availability, and
- dedicating sufficient resources to patch management.
NIST states that organizations should promptly install newly released security-relevant patches, service packs, and hot fixes and test them for effectiveness and potential side effects on the organization’s information systems.